Every day we see headlines highlighting the cybersecurity threats facing society. What was once perceived as a futuristic scenario is all too real today. Global conflicts have made us realize that there is always a threat from hackers (presumably backed by dubious organizations).
Then there are criminals who see ransomware as a vehicle for financial gain. Cybersecurity threats are growing as our society becomes more and more connected. The automotive industry is not defenseless against these threats and must act before the battle is lost.
An unprecedented challenge
Cars, which were previously hardware-centric platforms, are increasingly software-driven. Almost everything in a vehicle is controlled by software in some way. This creates an unprecedented cybersecurity challenge that must be addressed throughout the vehicle lifecycle and thus the entire development process.
From concept to development stage, and from production to maintenance and software upgrades. However, this is a huge undertaking, especially if you are not the manufacturer of all the hardware and software components.
Automakers rely on many sub-suppliers for their units and software, requiring a forensic approach to cybersecurity across the distribution chain to protect themselves from the constant threats they face today. In addition to this, functional safety goals may conflict with cybersecurity goals, further adding to the complexity surrounding the issue.
If cybersecurity works, probably no one will notice. If it does not, everyone will know. No cybersecurity department or security team within an enterprise can solve this task alone. Everyone in the company, from board members and senior management to developers and service providers, should commit to and contribute to cybersecurity.
Cybersecurity threats are not static; they evolve over time. Like an army, the defense must be continuously trained to be effective when real combat occurs.
Therefore, both vehicle hardware/software and organizations need to be “trained” on how to detect and mitigate these threats in order to be able to respond to them in an effective manner.
Hardware/software training can be done in a cyber test lab. Attack simulation and penetration testing can be done at all stages of development, and their results feed into post-deployment over-the-air (OTA) updates. But it is also important to train the organization.
The effectiveness of the chain of command, from engineers to security personnel to management, has a significant impact on how severe a cybersecurity incident becomes. Today’s mobility services are often not run by the car manufacturers themselves, but by other companies such as cloud service providers and app providers.
How would you handle the chain of command between various stakeholders in the event of a cybersecurity incident? That can be practiced in a so-called cyber range.
Don’t stand alone
To stay at the forefront of automotive cybersecurity, industry, research institutes, and academia need to work together. Security personnel are not the only ones who have to deal with cybersecurity, so there is a great need for competence in this area. Working together on research, testing and training that makes the most of our collective resources is the way forward.
The ability to deal with new and increasingly complex threats is what the industry needs. With data becoming digital gold, can society afford not to address this challenge today? Only the future will tell. Let the battle begin.